How To: Lock Down Windows with SteadyState
Anyone who manages – or even uses – shared computers in places such as libraries, workplaces, or even at home, knows that shared computers have a great tendency to become “junked up”. Often times, guests of public computers take it upon themselves to install third-party software, change configurations, infect the machine with malware, etc. While a lot of these user modifications can be prevented with the implementation of Microsoft’s “Group Policy”, the use of such technique often limits the user’s ability to get the most out of the session, and also huge a great reputation for being difficult to manage.
However, with the implementation of Windows SteadyState, a free tool from Microsoft, system administrators can configure a computer to discard any and all changes upon restart of a computer. What this means, is that a user can do and install whatever they want during their computer session, but once they restart, the system will be wiped of all changes. This situation is in a sense the best of both worlds for Windows administrators, because it allows them to give users the freedom they need, and also reduces the need for system maintenance, Windows re-installs, re-imaging, etc.
To start the SteadyState installation process, head over to Microsoft’s website; microsoft.com. There, use the search bar to search for “SteadyState”.
In the search results page, the informational page for Windows Steadystate should be the first result. Click on the result entitled “Windows SteadyState”.
Once on the SteadyState informational page, you will find more information as to what SteadyState is and what it does. This information is available both textually, and as video overviews. Once you’ve determined that SteadyState is for you, simply click on the “Download” button on the main informational page.
After clicking on the “Download” button, you will be re-directed to the “Download details” page. From there, you will be asked to validate that you have a legitimate copy of Microsoft Windows. To do so, click on the “Continue” button that precedes the “Validation Required” text. Depending on the browser you are using, you will be asked to download an executable file that will generate a code to be entered for validation. If you use Microsoft’s Internet Explorer web browser, your experience will be slightly different, as you will be asked to install an ActiveX control for verification.
After having validated the legitimacy of your Microsoft Windows installation, you will be brought back to the download page, this time given the ability to click on the “Download” button preceding the words “Genuine Microsoft Software”.
At this point, you should be able to download a MSI (Microsoft Installer) file. Download the file (about six and a half megabytes), and launch it to begin the installation wizard. Once you’ve read over the licensing terms, select the “I accept the License Terms” radio box and select the “Next” button.
Again, you will be asked to validate the legitimacy of your Windows Installation. Fortunately, this validation goes a lot quicker, and is simply a matter of clicking on the “Validate” button and allowing the program to “phone home”, ensuring that you are not running an illegal or pirated version of Windows.
Directly following the completion of the validation process, installation of the SteadyState program will begin. This process should only take a minute or so. During the installation you will see a command line box that will show the starting of the newly installed service; this is part of the installation process and is nothing to be concerned about. Once installation is completed, you will be presented with a dialog entitled “Installation Successful”, in which you simply need to click “Next”. After being prompted to install the Windows Live toolbar, you will be able to launch Windows SteadyState from your start menu.
In the main SteadyState window, you will notice that the hard disk protection feature (Windows Disk Protection) is marked as being off. To enable it, click on the “Protect the Hard Disk” button, and select the radio box entitled “On” in the following window. From here, you will be instructed that by enabling Windows Disk Protection, you will be creating a large cache on your hard drive (to store a copy of your “standard” configuration), and that you will loose an amount of hard drive space. If you accept this change, simply click on the “Yes” button in the dialog that appears. Doing so will start the process of a driver installation, which will take a few minutes depending on the size of your hard drive and the size of the cache that needs to be created. Lastly, you will be prompted to restart your computer so that changes can take effect.
With Windows SteadyState successfully installed and configured, any non-administrator user on the system will loose all of his/her work, settings, configurations, modifications, etc whenever they shut down. The computer administrator, on the other hand, will be given a dialog at shutdown/restart which will give him or her the ability to keep modifications to the system. This can be handy for adding or updating software, as well as ensuring that nesessary changes can be made to the system.
I recommend that you inform system users about the risk of data loss, and advise them to store their information on an outside source such as Google Docs, or via removable media such as pen-drive, or storage on a home server. Additionally, if you choose to use a clean copy of Windows, you can create an empty data partition in advanced, giving users a local place to store their files without the need to save on the Windows partition.
All in all, the Windows SteadyState service is truly a convenient feature for system administrators, as it drastically lowers the amount of maintenance they have to put into their systems following malicious use. However, in some environments such as those where locally saving information is crucial, SteadyState may not be a reasonable thing to use.